Microsoft security software detects and removes this threat.

The threat is a detection for shortcut files (LNK) created by variants of the Ransom:Win32/Reveton family of ransomware, which lock your computer and demand you pay a fine.

It's likely your PC has also been infected with other malware from the Ransom:Win32/Reveton family.

You can read more on our ransomware page.

Find out ways that malware can get on your PC.

What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This is a detection for shortcut files (LNK) created by variants of the Ransom:Win32/Reveton family. If your PC is detected with this threat, then it is likely that you have also been infected with a Ransom:Win32/Reveton variant.

Ransom:Win32/Reveton variants arrive on your PC with a random name. They create a shortcut file in the Windows startup folder with the LNK extension, for example <startup folder>\ctfmon.lnk, to ensure the trojan is run every time you log on to Windows.

The Ransom:Win32/Reveton!lnk shortcut file uses an icon that resembles the following:

When opened, either by Windows when you log on, or manually if you click the shortcut, the link runs an installed copy of the Ransom:Win32/Reveton variant. We have seen it try to run the following variants, among others:

Analysis by Wei Li


The following could indicate that you have this threat on your PC:

  • You have this file, or something similar:

    <startup folder>\ctfmon.lnk

  • You see this shortcut in your startup folder:


Alert level: Severe
First detected by definition: 1.131.1573.0
Latest detected by definition: 1.209.834.0 and higher
First detected on: Aug 07, 2012
This entry was first published on: Aug 07, 2012
This entry was updated on: Nov 20, 2014

This threat is also detected as:
  • CXmal/RnsmLnk-A (Sophos)
  • Trojan.LNK.Reveton (Ikarus)